Bug 2349 - extd_audit VFS log output problems - unexpected behaviour
Status: RESOLVED LATER
Product: Samba 3.0
Classification: Unclassified
Component: Config Files
Version: 3.0.10
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: none
Assigned To: Deryck Hodge
QA Contact: Samba QA Contact
Depends on: 3518
Blocks:
 
Reported: 2005-02-15 15:54 UTC by Marco De Vitis
Modified: 2006-07-06 09:10 UTC (History)
CC: 2 users

Description Marco De Vitis 2005-02-15 15:54:25 UTC
Wanting to get detailed and clear logs of file/dir creation/open/save/deletion
on some shares, I'm trying to reach a well balanced setting of the extd_audit
VFS module, as the standard logs are a bit "too much" for me.
I'm using the following global parameters:

        log file = /var/log/samba/%m.%U.log
        syslog = 0
        log level = 0 vfs:2
        max log size = 0

The share I'm interested in has the following VFS parameter:

        vfs objects = recycle extd_audit

...plus some options for recycle, and of course other standard share definition
parameters.

Using this configuration, according to the docs, nothing should go into syslog,
and samba logs - separated according to machine and user - should only contain
extd_audit output; quoting from the official howto:

--------------------------------------------
Syslog can be used to record all transactions. This can be disabled by setting in
the smb.conf file syslog = 0.

Logging can take place to the default log file (log.smbd) for all loaded VFS
modules just by setting in the smb.conf file log level = 0 vfs:x, where x is the
log level. This will disable general logging while activating all logging of VFS
module activity at the log level specified.

Detailed logging can be obtained per user, per client machine, etc. This
requires the above together with the creative use of the log file settings. 
--------------------------------------------

Instead, here is what I can see:

- extd_audit output is going to syslog only, and it does not contain info about
the user who executes the action, which makes it somewhat useless for multiuser
environments; ok, you can find out the user by looking at the PID, but it's not
an easy job if you are searching through megabytes of old logs;

- almost nothing is logged by extd_audit, regarding file reads! With 10 users
simultaneously connected and working on Windows 2000 Pro client machines, in 1
hour time only the following few operations have been logged:

feb  8 11:37:44 gpserver smbd_audit[24489]: open Personali/SMo/Martina/Martina
-1-COMPRESSA 2.jpg (fd 26)
feb  8 12:01:52 gpserver smbd_audit[24506]: open rsaenh.dll (fd -1) failed: No
such file or directory
feb  8 12:19:39 gpserver smbd_audit[24506]: open quasi.rl4 (fd -1) failed: No
such file or directory
feb  8 12:19:39 gpserver smbd_audit[24506]: open sicure.rl4 (fd -1) failed: No
such file or directory

...plus many failed opens of Desktop.ini, many opendirs and various
connect/disconnect messages.
I also expressly asked a user to open a specific JPG file in that share, she did
(I checked with ls -l --time=atime), and nothing was logged about it.

- only a few smbd errors are logged into Samba logs in /var/log/samba,
e.g. "couldn't find service" and "string overflow by 1".

This definitely is not the expected behaviour.
Comment 1 Eric Lester 2005-09-08 16:50:24 UTC
I'm having much the same experience using extd_audit.  I've observed that many
of the desired messages wind up in /var/log/messages rather than
/var/log/samba/%m.%U.log, and also that the user id is missing from the audited
operations, making the audit less than useful.  I have used the identical
settings described in Mr. De Vitis' report.
Comment 2 Oliver Schulze L. 2006-02-16 00:11:30 UTC
I looked at the extd_audit code and it seems that only syslog logging is available.
So, redirect all your audit messages, using syslog, to a file.

Later, grep the PID to find out which user performed the operations.
[share]
extd_audit:facility = LOCAL6

/etc/syslog.conf
*.info;mail.none;authpriv.none;cron.none;local6.none    /var/log/messages
local6.*            /var/log/local6.log

tail /var/log/local6.log
feb  8 11:37:44 gpserver smbd_audit[24489]: open Personali/SMo/Martina/Martina
-1-COMPRESSA 2.jpg (fd 26)

# to find out the user of the operation
grep 24489 /var/log/local6.log | grep connect

HTH
Oliver
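The PID correlation Oliver describes, done in one pass instead of two greps, as an added shell example (not Samba code and not posted in this bug). It keys on the `smbd_audit[PID]:` tag and on the `connect to service ... by user ...` line that vfs_extd_audit writes when a session starts; the log lines below are constructed for the example, and the exact wording of the disconnect message is an assumption. The `audit_annotate` function also drops a PID-to-user mapping at disconnect, because a reused PID would otherwise be attributed to the earlier user.

```shell
#!/bin/sh
# Added example (not Samba code, not from the bug thread): attribute extd_audit
# syslog lines to users by correlating the PID in "smbd_audit[PID]:" with the
# "connect to service ... by user ..." line that the same smbd process logged
# when the session started. This is the grep-by-PID step above, done in one pass.
#
# The log below is CONSTRUCTED for this example. The connect/open wording follows
# what vfs_extd_audit in Samba 3.0 emits; the "disconnected" wording is assumed.
write_sample_log() {
    cat > "$1" <<'EOF'
feb  8 11:30:02 gpserver smbd_audit[24489]: connect to service personali by user martina
feb  8 11:30:05 gpserver smbd_audit[24506]: connect to service personali by user paolo
feb  8 11:37:44 gpserver smbd_audit[24489]: open Personali/SMo/Martina/relazione.doc (fd 26)
feb  8 12:01:52 gpserver smbd_audit[24506]: open rsaenh.dll (fd -1) failed: No such file or directory
feb  8 12:19:39 gpserver smbd_audit[24506]: open quasi.rl4 (fd -1) failed: No such file or directory
feb  8 12:40:00 gpserver smbd_audit[24506]: disconnected
feb  8 12:41:10 gpserver smbd_audit[24506]: connect to service personali by user anna
feb  8 12:42:00 gpserver smbd_audit[24506]: open sicure.rl4 (fd 27)
EOF
}

# audit_user_for_pid LOGFILE PID
# Print the user from the most recent "connect" line of PID (nothing if none).
# Same idea as: grep "smbd_audit\[PID\]" LOGFILE | grep connect, keeping the last hit.
audit_user_for_pid() {
    awk -v pid="$2" '
        $5 == "smbd_audit[" pid "]:" && $6 == "connect" {
            u = $0; sub(/.* by user /, "", u); last = u
        }
        END { if (last != "") print last }
    ' "$1"
}

# audit_annotate LOGFILE
# Reprint every smbd_audit line with " user=<name>" appended, using the connect
# line seen earlier for that PID. The mapping is deleted on "disconnected" so a
# PID reused by a later session is not attributed to the previous user.
audit_annotate() {
    awk '
        $5 ~ /^smbd_audit\[[0-9]+\]:$/ {
            pid = $5; sub(/^smbd_audit\[/, "", pid); sub(/\]:$/, "", pid)
            if ($6 == "connect") { u = $0; sub(/.* by user /, "", u); user[pid] = u }
            printf "%s user=%s\n", $0, ((pid in user) ? user[pid] : "?")
            if ($6 == "disconnected") delete user[pid]
        }
    ' "$1"
}

# Usage demo: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp); write_sample_log "$tmp"; audit_annotate "$tmp"; rm -f "$tmp"
fi
```

Point `audit_annotate` at the file syslog writes for local6 (the `/var/log/local6.log` from the syslog.conf above) and grep the annotated output by user instead of by PID. Lines logged before the oldest connect line in the file, or after a log rotation, come out as `user=?`. The later full_audit module avoids this correlation altogether: its `full_audit:prefix` option (default `%u|%I`) writes the user into every audit line.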
Comment 3 Gerald (Jerry) Carter 2006-02-16 07:57:35 UTC
Deryck,  want to take a look at extending the log messages 
in the audit modules?
Comment 4 Levente Farkas 2006-03-20 06:50:57 UTC
we've got exactly the same result. when we set log level = 0 vfs:2 extd_audit doesn't show creation etc. while if we set log level = 2 then we get all kinds of logs including extd_audit's creation etc.
Comment 5 Gerald (Jerry) Carter 2006-07-06 08:20:02 UTC
closing.  recommended to use full_audit
Comment 6 Levente Farkas 2006-07-06 09:10:53 UTC
what is the full_audit??? i can't find it anywhere!